SOHO router configuration
From CT3
This document contains a sample SOHO router configuration. While it's probably secure enough for an average SOHO office, you use it at your own risk.
Annotated configuration snippets
Logging and timezones
Whenever you want to know when something happened in your network and don't have a centralized network management system, use NTP to synchronize the clock on your router with an external time source and enable date-time timestamps on all logging and debugging messages.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
You should disable console logging, enable the logging buffer (so you can inspect past events) and store log messages in a file on flash so that they persist across router reloads.
hostname SOHO-firewall
!
logging buffered 128000
logging persistent url flash:/
no logging console
Use enable secret, not enable password: the secret is stored as a hash rather than in a reversible form, so it cannot be easily cracked.
enable secret *****
Configure your timezone (I'm in Europe, which is 1 hour ahead of GMT) and daylight saving time if you want to be able to talk to the ISP support team and compare the times :)
clock timezone CET 1
clock summer-time CDT recurring last Sun Mar 2:00 last Sun Oct 3:00
Global IP routing, DHCP and other services
IP source routing should be disabled and you should use CEF (unless you hit a CEF-related bug that forces you to disable it :).
no ip source-route
!
ip cef
In a SOHO environment, it's better to run DHCP on the router than on one of the workstations acting as a server. The default gateway and the DNS server are set to the router's IP address.
ip dhcp pool DHCP
 network 192.168.200.192 255.255.255.240
 default-router 192.168.200.193
 dns-server 192.168.200.193
You should also set the DNS parameters: the default timeout and the default domain.
ip domain timeout 2
ip domain name mydomain.com
If you want to upload files from the router using FTP, the FTP source interface has to be an inside interface, otherwise FTP to outside destinations fails.
ip ftp source-interface Vlan1
Content-based Access Control
To simplify your access lists and allow weird protocols like FTP to pass through them, you should configure stateful inspection (CBAC). All special protocols have to be listed first, followed by the protocol groups you want to support (usually you need all three). You should always inspect the router-generated traffic to ensure that the services started from the router itself (for example, NTP queries) work as expected.
ip inspect name FW ftp
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
Global PPPoE commands
These are the "mandatory" commands to make ADSL work. If you really want to know what they do, search the Cisco IOS documentation.
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
 l2tp tunnel receive-window 256
!
bba-group pppoe global
Interfaces
Outside interface configuration. ADSL is used, so we're just configuring the PPPoE dial pool.
interface FastEthernet0
 description outside LAN
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
An 1800-series router with an integrated switch was used to generate this configuration. Each inside port appears as a separate FastEthernet interface, and you have to use the VLAN interface to tie them together into a single IP subnet.
interface Vlan1
 ip address 192.168.200.193 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 load-interval 30
The ADSL uplink is configured as a dialer interface. You have to configure the dialer interface as the outside NAT interface with CBAC inspection to enable the stateful firewall. The IP address is usually negotiated via IPCP, and you should lower the MTU and MSS parameters since ADSL cannot transport 1500-byte packets. The dialer interface is tied to the FastEthernet physical interface with the dialer pool command; the dialer-group command is just another thing we have to configure, since the IOS code supporting dialer interfaces evolved from real dial-up links like ISDN.
To avoid the pitfalls of router-wide PPP authentication, it's best to configure all PPP CHAP parameters directly on the interface.
interface Dialer3
 description ADSL Uplink
 ip address negotiated
 ip access-group FW in
 ip mtu 1492
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 3
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp ipcp dns request accept
The default route points to the dialer interface.
ip route 0.0.0.0 0.0.0.0 Dialer3
DNS server
DNS server parameters are configured with the ip dns view default command (assuming you have a late 12.4T or 12.5+ release). Yet again, the source interfaces for the DNS resolver and the DNS forwarder have to be set to one of the inside interfaces. The DNS forwarders can point to your ISP's DNS servers or to a public service like OpenDNS.
ip dns view default
 domain timeout 2
 domain resolver source-interface Vlan1
 dns forwarder 208.67.220.220
 dns forwarder 208.67.222.222
 dns forwarding source-interface Vlan1
ip dns server
Network Address Translation
NAT overload is configured on the Dialer interface. The route-map is not absolutely necessary, but it comes in extremely handy if you want to configure multiple uplinks or Internet access in combination with a company VPN (split VPN).
ip nat inside source route-map Dialer3 interface Dialer3 overload
Access lists and route maps
The access-list that serves as the basis for CBAC should be as restrictive as possible. ICMPs usually don't do much harm (at least not to the router), and it's safe to allow NTP from a well-known NTP server. You might not want to log all failures (as I do), as this generates lots of logging traffic (more so if you use peer-to-peer networking).
ip access-list extended FW
 permit icmp any any
 permit udp host 129.132.97.15 eq ntp any
 deny ip any any log
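The following model shows what the inbound FW access-list and the CBAC inspection from the previous sections do together. It is an added example, not code from this page or from Cisco IOS: the three ACL entries are transcribed from the page, the traffic sample and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed, NAT is left out so inside addresses appear unchanged, and entries match an exact host or "any" rather than a wildcard mask.

```python
"""Model of the inbound FW access-list on Dialer3 combined with CBAC.

Added example, not code from the CT3 page or from Cisco IOS. "ip inspect FW out"
records the sessions inside hosts open towards the Internet so their replies
can come back; every other inbound packet is matched against the static FW
access-list, which permits only ICMP and NTP from the configured server and
logs everything else. Assumptions: NAT is left out (inside addresses appear
unchanged) and entries match exact hosts or "any", not wildcard masks.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

NTP_SERVER = "129.132.97.15"   # the NTP server used in the page's configuration

# The page's "ip access-list extended FW", transcribed as tuples:
# (action, protocol, source, source port, destination, destination port, log)
FW_ACL = [
    ("permit", "icmp", "any", None, "any", None, False),
    ("permit", "udp", NTP_SERVER, 123, "any", None, False),   # eq ntp
    ("deny", "ip", "any", None, "any", None, True),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Firewall:
    acl: List[Tuple]
    sessions: Set[Tuple] = field(default_factory=set)   # CBAC session table
    log: List[str] = field(default_factory=list)        # what "deny ... log" emits

    def inspect_outbound(self, pkt: Packet) -> None:
        """Outbound packet seen by "ip inspect FW out": remember its 5-tuple."""
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def _acl_verdict(self, pkt: Packet) -> str:
        """First matching entry wins, as in IOS; unmatched packets hit the implicit deny."""
        for action, proto, src, sport, dst, dport, log in self.acl:
            if proto != "ip" and proto != pkt.proto:
                continue
            if src != "any" and src != pkt.src:
                continue
            if dst != "any" and dst != pkt.dst:
                continue
            if sport is not None and sport != pkt.sport:
                continue
            if dport is not None and dport != pkt.dport:
                continue
            if log:
                self.log.append(f"list FW denied {pkt.proto} {pkt.src} -> {pkt.dst}")
            return action
        return "deny"

    def inbound(self, pkt: Packet) -> str:
        """Inbound on Dialer3: CBAC return traffic first, then the static ACL."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit (cbac)"
        return self._acl_verdict(pkt)


def run_sample() -> dict:
    """Constructed traffic sample; outside addresses are RFC 5737 documentation ranges."""
    fw = Firewall(FW_ACL)
    inside, web, stranger = "192.168.200.194", "198.51.100.10", "203.0.113.7"
    fw.inspect_outbound(Packet("tcp", inside, 51000, web, 443))      # inside host browses
    return {
        "web_reply": fw.inbound(Packet("tcp", web, 443, inside, 51000)),
        "ntp_reply": fw.inbound(Packet("udp", NTP_SERVER, 123, inside, 123)),
        "unsolicited": fw.inbound(Packet("tcp", stranger, 4444, inside, 445)),
        "ping": fw.inbound(Packet("icmp", stranger, None, inside, None)),
        "log_lines": len(fw.log),
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name}: {verdict}")
```

The reply to the inside host's web session is admitted only because CBAC recorded the outbound 5-tuple; the unsolicited connection attempt never matches a session and falls through to the page's explicit "deny ip any any log" entry, which is the single log line the sample produces. Dropping the log keyword from that entry would silence exactly those messages, which is the trade-off the text describes.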
Access-list 90 is used to limit access to the router (it is applied to the VTY lines with the access-class command). Unless you have special needs, allowing only the inside IP subnet to access the router is a good idea.
access-list 90 permit 192.168.200.192 0.0.0.15
The dialer-list and the dialer-related access-list are just pro-forma commands that have to be entered.
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
The NAT route-map is extremely simple: translate everything that goes out of the Dialer3 interface.
route-map Dialer3 permit 10
 match interface Dialer3
NTP configuration
Usually you should enable NTP logging, unless it generates too much noise. If at all possible, configure an NTP server to ensure you have the correct time.
ntp logging
ntp server 129.132.97.15 prefer
Line configuration
And finally the line configuration. Password-based authentication should be enough for a SOHO office.
line con 0
 login
 password *****
line vty 0 4
 password ****
 login
 access-class 90 in
 transport input telnet ssh
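The VTY access-class, the NAT route-map, the CBAC rule and the dialer pool all refer to objects defined elsewhere in the configuration, and IOS accepts a reference to an object that does not exist (an undefined access-class, for instance, leaves the line unprotected). The checker below is an added example, not code from this page or from Cisco: it indexes the objects a configuration defines and reports every reference without a definition. The embedded sample is constructed from the page's snippets and deliberately contains a mismatch of the kind the check catches, the line section applying access-class 90 while only access-list 50 exists. The regular expressions cover only the command forms used on this page.

```python
"""Cross-reference checker for a Cisco IOS configuration.

Added example, not code from the CT3 page or from Cisco. It indexes the objects
a configuration defines (access lists, route-maps, inspect rules, dialer pools,
dialer lists) and reports every reference to an object that is never defined.
The patterns below cover the command forms used on the page, nothing more.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the page's configuration with a
# deliberate mismatch (access-class 90 applied, only access-list 50 defined).
SAMPLE_CONFIG = """\
ip inspect name FW ftp
ip inspect name FW tcp router-traffic
interface Dialer3
 ip access-group FW in
 ip inspect FW out
 dialer pool 3
 dialer-group 1
interface FastEthernet0
 pppoe-client dial-pool-number 3
ip nat inside source route-map Dialer3 interface Dialer3 overload
ip access-list extended FW
 permit icmp any any
 deny ip any any log
access-list 50 permit 192.168.200.192 0.0.0.15
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
route-map Dialer3 permit 10
 match interface Dialer3
line vty 0 4
 access-class 90 in
"""

# (object kind, pattern capturing the object name) for commands that define objects
DEFINITIONS = [
    ("acl", re.compile(r"^access-list (\S+) ")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)$")),
    ("route-map", re.compile(r"^route-map (\S+) ")),
    ("inspect", re.compile(r"^ip inspect name (\S+) ")),
    ("dialer-pool", re.compile(r"^\s+pppoe-client dial-pool-number (\S+)$")),
    ("dialer-list", re.compile(r"^dialer-list (\S+) ")),
]

# Same shape for commands that reference objects; leading whitespace marks sub-commands
REFERENCES = [
    ("acl", re.compile(r"^\s+ip access-group (\S+) (?:in|out)$")),
    ("acl", re.compile(r"^\s+access-class (\S+) (?:in|out)$")),
    ("acl", re.compile(r"^dialer-list \S+ protocol \S+ list (\S+)$")),
    ("acl", re.compile(r"^ip nat inside source list (\S+) ")),
    ("route-map", re.compile(r"^ip nat inside source route-map (\S+) ")),
    ("inspect", re.compile(r"^\s+ip inspect (\S+) (?:in|out)$")),
    ("dialer-pool", re.compile(r"^\s+dialer pool (\S+)$")),
    ("dialer-list", re.compile(r"^\s+dialer-group (\S+)$")),
]


def index_config(text):
    """Return ({kind: set of defined names}, [(kind, name, line_no, line), ...])."""
    defined = defaultdict(set)
    refs = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("!"):
            continue          # skip blank lines and IOS comment/separator lines
        for kind, rx in DEFINITIONS:
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, rx in REFERENCES:
            m = rx.match(line)
            if m:
                refs.append((kind, m.group(1), no, line.strip()))
    return defined, refs


def dangling_references(text):
    """List every reference whose target object is never defined in the config."""
    defined, refs = index_config(text)
    return [(kind, name, no, line) for kind, name, no, line in refs
            if name not in defined[kind]]


if __name__ == "__main__":
    for kind, name, no, line in dangling_references(SAMPLE_CONFIG):
        print(f"line {no}: {line!r} references undefined {kind} {name}")
```

Run against the sample it reports the single dangling reference on the access-class line; renaming the access-list to 90 makes the report empty. Running the same check over a full `show running-config` before deploying is a cheap way to catch an unprotected VTY line or a NAT rule bound to a route-map that was never entered.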
Complete configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SOHO-firewall
!
logging buffered 128000
logging persistent url flash:/
no logging console
enable secret *****
!
clock timezone CET 1
clock summer-time CDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ip source-route
!
ip cef
!
ip dhcp pool DHCP
 network 192.168.200.192 255.255.255.240
 default-router 192.168.200.193
 dns-server 192.168.200.193
!
ip domain timeout 2
ip domain name mydomain.com
!
ip inspect name FW ftp
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
 l2tp tunnel receive-window 256
!
ip ftp source-interface Vlan1
!
bba-group pppoe global
!
interface FastEthernet0
 description outside LAN
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
!
interface Vlan1
 ip address 192.168.200.193 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!
interface Dialer3
 description ADSL Uplink
 ip address negotiated
 ip access-group FW in
 ip mtu 1492
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer pool 3
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *****
 ppp chap password *****
 ppp ipcp dns request accept
!
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip dns view default
 domain timeout 2
 domain resolver source-interface Vlan1
 dns forwarder 208.67.220.220
 dns forwarder 208.67.222.222
 dns forwarding source-interface Vlan1
ip dns server
!
ip nat inside source route-map Dialer3 interface Dialer3 overload
!
ip access-list extended FW
 permit icmp any any
 permit udp host 129.132.97.15 eq ntp any
 deny ip any any log
!
access-list 90 permit 192.168.200.192 0.0.0.15
access-list 199 permit ip any any
dialer-list 1 protocol ip list 199
!
route-map Dialer3 permit 10
 match interface Dialer3
!
ntp logging
ntp server 129.132.97.15 prefer
!
line con 0
 login
 password *****
line vty 0 4
 password ****
 login
 access-class 90 in
 transport input telnet ssh
!
end